CMMC-CCA Exam Question 101
An OSC is planning a CMMC Level 2 assessment that your C3PAO will conduct. In Phase 1.6.1 - Access and Verify Evidence, as the Lead Assessor, you are verifying the existence and accessibility of the evidence provided by the OSC. While reviewing the list of evidence mapped against the CMMC practices, you discover that the OSC cannot locate several critical system security policies for key IT systems supporting their DoD contracts. These missing policies are essential for demonstrating compliance with various CMMC practices related to access control, incident response, and system maintenance. What is the primary role of the CMMC Quality Assurance Professional (CQAP) regarding the Pre-Assessment Form?
CMMC-CCA Exam Question 102
During a CMMC assessment, the OSC provides a policy document that is signed by a manager who left the company six months ago. The OSC insists the policy is still enforced, and staff interviews confirm its use.
How should the Lead Assessor proceed?
CMMC-CCA Exam Question 103
An OSC employs guards to protect the manufacturing shop where a magnetic radar-absorbing coating is manufactured. This specific coating is used by the Army for a particular fleet of unmanned aerial vehicles (UAVs). The facility is under constant surveillance with the help of HD CCTVs. Within the OSC's facilities, there is a Vector Network Analyzer (VNA) that measures the reflection and transmission properties of the coating over a range of frequencies. Guards protect the OSC's anechoic chamber, and anyone entering must use an iris scanner and sign a physical form detailing their name and reason for being there. At the door is a huge sign reading "Authorized Personnel Only." Which of the following statements is true about handling the Vector Network Analyzer (VNA) in a CMMC assessment?
CMMC-CCA Exam Question 104
You are a CCA reviewing the security measures for a defense contractor seeking CMMC Level 2 compliance.
CMMC practice PE.L2-3.10.6 - Alternative Work Sites requires the organization to safeguard CUI at alternate work sites, like employee home offices. You are examining their list of safeguards and the system security plan to assess their compliance. When assessing a contractor's implementation of CMMC practice PE.L2-3.10.6 - Alternative Work Sites, which of the following would be the least effective method for gathering information?
CMMC-CCA Exam Question 105
An OSC has provided its System Security Plan (SSP) as evidence for several CMMC practices related to system security. During your examination of the SSP, you discover a section outlining procedures for user access controls. However, upon further review, you find no mention of procedures for managing privileged accounts, which is a critical aspect of secure system access. According to the guidelines for examining evidence, what is the most appropriate course of action for the Lead Assessor in this scenario?
